Re: [TLS] Rethink TLS 1.3

Nico Williams <nico@cryptonector.com> Mon, 24 November 2014 17:00 UTC

Date: Mon, 24 Nov 2014 11:00:05 -0600
From: Nico Williams <nico@cryptonector.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Rethink TLS 1.3
Message-ID: <20141124170003.GI3200@localhost>
In-Reply-To: <54731F57.5000803@redhat.com>
References: <CACsn0ckmYrx+S--pP6P7VgjsmqQsoYnp+m-9hTPT-OJ9waUtkA@mail.gmail.com> <5470742A.8020002@streamsec.se> <CACsn0cnKqkHxw0Hudw0OGM1mVxZKJhj04ig2G3KtURtWhYTacw@mail.gmail.com> <20141124101744.GC3200@localhost> <547308E2.6060809@streamsec.se> <20141124104226.GE3200@localhost> <54730E1D.8060104@streamsec.se> <20141124105948.GH3200@localhost> <54731F57.5000803@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/rVpXZAkcKBJ1T8VwE545l4Ax_4c

On Mon, Nov 24, 2014 at 01:06:47PM +0100, Florian Weimer wrote:
> I really doubt that when people talked about the Internet threat
> model ten, fifteen years ago, they had adaptive chosen plaintext
> attacks in mind.  For example, they are not discussed in
> <http://tools.ietf.org/html/draft-rescorla-sec-cons-05> (as far as I
> can tell).  If such attacks are covered by the Internet threat model
> today, the model has evolved considerably.

They are active attacks by an attacker with full control of the network
between the end-points under attack.  Therefore they fall squarely under
the traditional Internet threat model.  We have to take into account
even attacks that today seem difficult to mount (as this one seemed not
that long ago), but we can't predict future new active attacks.  And yet
new future active attacks will still be active attacks.

I'm not saying that the Internet threat model doesn't require updating
(it does, at least as to massive adversary capabilities).  I'm saying we
shouldn't blame TLS's shortcomings on the Internet threat model.  The
latter is very high-level, and can't cover every eventuality in its small
print, but in its high-level view, adaptive chosen plaintext attacks
were covered.

Nico
--